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CONFIGURABLE RULE-ENGINE FOR LAYER-7 
AND TRAFFIC CHARACTERISTIC-BASED CLASSIFICATION 



BACKGROUND OF THE INVENTION 
1 . Field of the Invention 

This invention generally relates to the field of data communication systems. More 
particularly, the invention presents a configurable and extensible rule-engine capable of 
classifying and supporting packet traffic. 



2, Description of Related Art and General Background 

The unprecedented growth of the hitemet has not only increased the amount of 
traffic that communication networks must support, it has also transformed the nature of 
network traffic. The Internet was once relegated to handling hitemet Protocol (IP)-based 

15 transmissions in the form of Telnet, e-mail, and File Transfer Protocol (FTP) traffic 
originating fi-om wired LAN/WAN networks. Since then, the hitemet has evolved into a 
global information infi-astructure capable of accommodating a wide variety of 
applications, such as World-Wide Web (WWW), Voice-over-IP (VoIP) and Audio/Video 
Playback, generated fi-om a diverse set of media, including sateUite, wireless, and optical 

20 platforms. 

Presently, IP-based networks attempt to accommodate the traffic generated by such 
applications by providing a "best-effort" level of service. As such, all IP data packets 
must compete for available bandwidth, as well as processing capabihty and buffer space in 
the network routing devices. The use of IP-based apphcations with real-time/interactive 
25 requirements coupled with the relatively limited bandwidth capacity in access and wireless 
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networks precipitates the need to differentiate between the different traffic flows generated 
by these applications. 

To this end, networks have incorporated classification mechanisms to differentiate 
among the various traffic flows flowing through the network. These mechanisms employ 
packet classification schemes to help identify which data packets receive the necessary 
treatment to ensure a best-effort level of service. 

A common approach implemented by these classification mechanisms is to classify 
the traffic into a static set of coarse traffic classes based on certain apphcation 
C? requirements. Based on these coarse traffic classes, network routing devices provide 

10 differentiated treatment. 
'l! Currently, some classification mechanisms perform packet classification based on 

Layer-4 (Transfer Control Protocol (TCP)/LJser Datagram Protocol (UDP)) Port Numbers. 
Although relatively simple to implement, such classification may be easily deceived by 
i : users manipulating port numbers to achieve higher levels of priority for applications. 

3 15 Moreover, the use of port numbers in applications, although well-known, are not 
mandatory, thereby compromising the efficacy of the Layer-4 classification schemes, hi 
addition, many networks employ hitemet Protocol Security (BPSec) techniques, which 
provide for the secure exchange of packets, but do so at the expense of encrypting 
information above Layer-3 (Network Layer), thus rendering Layer-4 classification futile. 
20 Other classification mechanisms support packet classification based on Layer-7 

(Application Layer) content. Such classification schemes exploit the payload information 
resident in the data packet to better identify the type of application associated with the 
traffic and overcomes the limitations of Layer-4 classification schemes noted above. 
However, Layer-7 classification schemes require a larger, more robust set of rules to 
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operate effectively and is still subject to the classification barriers imposed by IPSec 
techniques. 

Recent efforts, as described in Chapman et al. Automatic Quality of Service in IP 
Networks, Proc. Canadian Conf. On Broadband Research, Ottawa, Canada (April 
5 1997, pp. 184-189), have investigated the use of flow classification schemes, which 
classifies flows based on traffic characteristics. Dynamic flow classification schemes 
examine certain flow quahties, such as, for example, transmitted packet counts and inter- 
arrival times, to determine the class associated with the traffic flow. The set of rules 
associated with dynamic flow classification schemes are, therefore, proportional to the 
10 number of classes in the classification scheme. As such, the rule set maintained by these 
schemes are smaller than the Layer-7 classification schemes. Moreover, because, dynamic 
flow classification schemes examine traffic flow behavior, such schemes may overcome 
the classification barriers imposed by IPSec techniques. 

As noted above, conventional Layer-7 classification mechanisms employ a static 
15 set of rules, which differentiate network traffic into coarse traffic classes. Typically, these 
rules are hard-coded into the classification mechanisms, thus precluding network 
administrators fi-om readily extending, configuring, or modifying the rules. Such rules 
Umit the recognition and classification of traffic generated by the wide variety of 
applications currently supported by networking devices. 
20 Therefore, what is needed is a system and method that provides a greater flexibility 

in classifying network traffic. 
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SUMMARY OF INVENTION 

Systems and methods consistent with the principles of the present invention, as 
embodied and broadly described herein, include a data flow managing mechanism 
configured to identify, track, and manage a data flow and a rule set, which includes a 
5 plurality of rules for comparing information contained within the data flow to pre- 
specified values. The system further includes a configurable classification rule engine for 
classifying the data flow into one of a plurality of traffic classes based on results of the 
comparisons between the rules and the pre-specified values. The configurable 
classification rule engine is configured via a configuration file that specifies and allows for 
10 the modification and reconfiguration of the pre-specified values and information regarding 
the data flow, the rule set, and the traffic classes. 



BRIEF DESCRIPTION OF THE DRAWINGS 

15 FIG. lA depicts a functional block diagram of a classification rule engine system, 

constructed and operative in accordance with an embodiment of the present invention. 

FIG. IB depicts a data structure for a traffic monitoring mechanism, in accordance 
with an embodiment of the present invention. 

FIG. IC illustrates a functional state diagram for TCP-based traffic. 
20 FIG. ID illustrates a function state diagram for UDP-based traffic. 

FIG. IE depicts a data structure for a packet classification rule engine, constructed 
and operative in accordance with an embodiment of the present invention. 
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FIG. 2 A depicts a functional block diagram of a classification rule engine system, 
constracted and operative in accordance with another embodiment of the present 
invention. 

FIG. 2B depicts a data structure for a packet classification rule engine, constructed 
5 and operative in accordance with another embodiment of the present invention. 

FIG. 3 illustrates a configuration file for a packet classification rule engine in 
accordance with an embodiment of the present invention. 

1 0 DETAILED DESCRIPTION OF THE INVENTION 

The following detailed description refers to the accompanying drawings that illustrate 
embodiments of the present invention. Other embodiments are possible and modifications 
may be made to the embodiments without departing from the spirit and scope of the 
invention. Therefore, the following detailed description is not meant to limit the invention. 

1 5 Rather the scope of the invention is defmed by the appended claims. 

The classification rule system, as described herein, is a configurable rule-based 
system capable of classifying network traffic based on application requirements. The 
system employs classification rules that are abstracted from the heuristics and are not 
hard-coded. In one embodiment, the classification system operates under a dynamic 

20 classification scheme, employing a traffic monitoring mechanism to monitor and measure 
certain traffic characteristics from a received data flow and compare those values to the 
rules invoked by the classification rule engine to designate the various classes. In another 
embodiment, the system operates under a Layer-7 classification scheme and examines 
predetermined packets containing certain application information to determine whether 
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certain patterns, indicative of different classes, match the content of the predetermined 
packets. 

FIG. 1 A is a functional block diagram depicting dynamic classification rule engine 
system 100, constructed and operative in accordance with an embodiment of the present 
5 invention. System 100 classifies network traffic based on dynamic classification schemes. 
As indicated in FIG. lA, system 100 comprises flow manager mechanism 102, a traffic 
monitoring mechanism 106, a packet classification rule engine 108, configuration file 300, 
and rule set 110. As will be described below, traffic monitoring mechanism 106 and rule 
set 110, as well as the actions taken by packet classification rule engine 108, may be 
10 defined, initiaUzed, and reconfigured with respect to particular traffic flows in 
configuration file 300. 

Flow manager mechanism 102 is configured to receive the incoming data packets, 
identify and track the traffic flows associated with the received packets, register active 
data flows, and delete inactive data flows. For dynamic classification schemes, flow 
15 manager mechanism 102 may identify the traffic flows based on Source IP Address (SEP), 
Destination IP Address (DIP), Source TCP/UDP Port Number (SP), Destination UDP/TCP 
Port Number (DP) and Protocol Id (PID). Flow manager mechanism 102 may include a 
flow table mechanism 104, which captures the relevant packet information, provides a 
look-up mechanism to identify which traffic flow the receive packet belongs to, and 
20 updates the captured information accordingly. Such updates may include introducing new 
traffic flows or deleting stale traffic flows. 

Traffic monitoring mechanism 106 is configured to measure various characteristics 
and parameters of each traffic flow and provides updates to the flow information resident 
in flow table mechanism 104, whenever a received packet is associated with a particular 



6 



Pillsburv Docket No.: 0270155 



NORTEL Ref.: 1247QR0 



flow. Traffic monitoring mechanism 106 may comprise a plurality of individual monitors 
dedicated to measuring the various traffic flow characteristics and parameters. An 
exemplary sample of individual monitors are summarized in TABLE 1. 



5 TABLE I 



TMName TMTyi 


36 TMDescription 




CPLC 


0 


number of consecutive packets since last state change 




CLP 


1 


number of consecutive long packets having a size > LONG 




CSP 


2 


number of consecutive short packets having a size < SHORT 




AVG BW 


3 


average bandwidth measured over time interval T 




PPS 


4 


average packets-per-second measured over time interval T 




I AVG 


5 


average packet inter-arrival time lava 




PICA 


6 


number of packets with inter-arrival time greater than A = (Lvs + Y*ih^^)) 




PILB 


7 


number of packets with inter-arrival time less than B = (lavs - Y*(Iavs)) 




PS 


8 


number of packets since start of the flow 




Din 


9 


inter-arrival time between current packet and previous packet in flow 




TLP 


10 


time of last packet in flow 




PS AVG 


11 


average packet size measured over time interval T 




SCP 


12 


size of current packet (includes entire packet) 




SCPL 


13 


size of IP payload for current packet 



In one implementation, the values for indicating the size of a long and short packet 
(LONG, SHORT, respectively), as used in monitors CLP and CSP noted above, as well as 

10 time interval T are user-definable. 

FIG. IB depicts the data structure for maintaining an easily extensible set of 
monitors in traffic monitoring mechanism 106. The traffic monitor data structure is 
chained off flow table 104, Although in the illustrated embodiment, flow table 104 is 
depicted as a linked list, flow table 104 may utilize any data structure that maintains the 

15 traffic monitor data structure. As indicated in FIG. IB, each flow entry 104A-J of flow 
table 104 points to a traffic monitor data structure 106 A- J having identifiers 
"TRAFFICMONITORIndex" to identify the traffic monitors. In tum, traffic monitor data 
structure 106 A- J contains at least one entry for every type of traffic monitor supported. 
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Although each monitor type has its own corresponding data structiire 106A1-J1, all 
monitor types share a common set of fields. This common set of fields may be configured 
to include: "TMName" which identifies the monitor via an identifier string (see, TABLE 
I); "TMType," which identifies the monitor type (see, TABLE I); "TMValue/' which 

5 provides the value of an observed parameter, as detected by corresponding monitor; and 
"SCRAP ARRAY(.)" which provides a scrap area, the usage of which will vary depending 
on the requirements of the particular monitor. 

Rule set 110 includes a plurality of rules designed to perform comparisons between 
traffic monitoring mechanism 106 and a configured or pre-specified value. As such, rule 

10 set 110 may include event indicia, indicating the triggering of a rule, condition indicia, 
representing a conditional or comparison statement, and action indicia, indicating the 
execution of an action based on the results of the comparison. Rule set 110 may employ 
comparison operators, such as, GREATER THAN, GREATER THAN OR EQUAL TO, 
EQUAL TO, LESS THAN OR EQUAL TO, and LESS THAN, for example, to effect the 

15 comparisons. Rule set 110 may also employ logical operators, such as, AND, OR, 
NAND, NOR, etc. to chain various rules together. As will be discussed below, rule set 
110 may defined in accordance with rule data structures 158 A, 158B, 168 A, 168B, Based 
on the results rendered by the application of the rule set 110 to the received traffic flow, 
packet classification rule engine 108 reacts to ensure that the received traffic is associated 

20 with the appropriate class. 

Before describing packet classification rule engine 108, it may be instructive to 
generally describe an example of a dynamic classification scheme for two types of traffic 
commonly found in IP-based networks, TCP and UDP traffic. As is well known, TCP is a 
connection-oriented protocol, which guarantees the delivery and sequential order of the 
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transmitted data. UDP is a connection-less protocol, offering little in the way of delivery 
guarantees, but provides a more direct means of sending and receiving data. Fiuther, it is 
to be noted that the depicted dynamic classification schemes, and the rule sets used in 
effecting transitions between classes, are for illustrative purposes and other classification 
5 schemes and rule sets may be implemented without departing firom the thrust of the 
present invention. 

FIG. IC depicts a classification state diagram 125 as well as the TCP rule set for 
the dynamic classification scheme applied to TCP traffic. Interactive Query Response 
(IQR) class 126 represents traffic comprising a small number packets that need to be 

10 transmitted with high priority and little delay due to the interactive nature of the 
appUcation (e.g., voice over IP, WWW, e-commerce applications, etc.). Burst class 128 
represents traffic comprising a medium number of packets that are transmitted in an 
infrequent and bursty manner. Bulk class 130 represents traffic comprising a large 
number packets that are capable of tolerating delays due to large volume transfers (e.g., 

1 5 File Transfer Protocol (FTP) traffic). 

As indicated in FIG, IC, the dynamic classification scheme defaults all new TCP 
flows to IQR class 126. In accordance with rule Ro, if no new TCP packet is detected by 
traffic monitoring mechanism 106 within one second, IQR class 126 transitions to itself. 
In accordance with rule Ri, if traffic monitoring mechanism 106 detects at least two 

20 consecutive TCP packets having a size greater than or equal to LONG (e.g., 512 bytes), 
IQR class 126 transitions to Burst class 128, Such a rule may be implemented in order to 
adequately track and classify consecutive long packets having an occasional short packet 
for separation. In accordance with rule R2, upon traffic monitoring mechanism 106 
detecting ten consecutive TCP packets having a size greater than or equal to LONG, Burst 
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class 128 transitions to Bulk class 130. Finally, In accordance with rule R3, if traffic 
monitoring mechanism 106 does not detect any TCP packets within one second. Bulk 
class 130 transitions back to IQR class 126. 

FIG. ID depicts a classification state diagram 125 as well as the UDP rule set for 
5 the exemplary dynamic classification scheme applied to UDP traffic. Low Rate Real 
Time (LRT) class 126 represents traffic comprising a small number packets that need to be 
transmitted in real time. High Rate Real Time (HRT) class 128 represents traffic 
comprising a large number of packets that need to transmitted in real time. Non-Real 
Time (NRT) class 130 represents traffic that does not require real time transfers. 

10 As indicated in FIG. ID, the dynamic classification scheme defaults all new UDP 

flows to LRT class 136. In accordance with rule Ro, if traffic monitoring mechanism 106 
does not detect any packets for a certain interval of time (e.g., 1 sec), LRT class 136 
transitions to HRT class 140. In accordance with rule Ri, upon traffic monitoring 
mechanism 106 detecting a uni-modal inter-arrival time distribution (e.g., flowing video 

15 packets), HRT class 138 transitions to NRT class 140. Finally, in accordance with rule R2, 
if traffic monitoring mechanism 106 detects transmissions of at least 25 UDP packets per 
second and available bandwidth of at least 50 Kbps, NRT class 140 transitions back to 
LRT class 136. 

FIG. IE depicts a data structure 150 for packet classification rule engine 108. 
20 Packet classification rule engine 108 performs actions to classify the received packets into 
their proper class in response to the information provided by flow manager mechanism 
102 and traffic monitoring mechanism 106. To this end, classification rule engine data 
structure 150 enables a user to specify a configurable number of classes, as well as 
transitions between those classes, based on a configurable set of rules and actions. For 
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purposes of illustration, data structure 150 depicted in FIG. IE is based on the dynamic 
classification schemes 125, 135 developed above for TCP and UDP traffic, respectively. 
Classification rule engine data structure 150 may be configured to accommodate any type 
of IP-based traffic. In the illustrated embodiment, rale engine data structure 150 

5 contemplates the dynamic classification of TCP and UDP traffic by employing 
classification machines that relate to the two traffic types: a TCP classification machine 
data stracture 152 and a UDP classification machine data structure 162. Each 
classification machine data stracture 152, 162 may correspond to three or more classes. 
For example, TCP classification machine data stracture 152 may correspond to IQR class 

10 126, Burst class 128, and Bulk class 130. Similarly, UDP classification machine data 
stracture 162 may contain LRT class 136, HRT class 138, and NRT class 140. The 
invention is not hmited in this respect, however, as more or less classes may be 
implemented. 

As indicated in FIG. IE, classification machine data stractures 152, 162 may share 
15 a common set of fields. This common set of fields may be configured to include: 
"ClassName," which identifies the type of traffic accommodated by the data stracture and 
"Classlndex," which identifies the index number associated with the data stracture. Upon 
determining which classification machine 152, 162 the packets belong to, classification 
rale engine data stracture 150 may employ a pointing mechanism, such as, 
20 "CLASSPointer" to point to traffic class data stractures 154, 164 corresponding to the 
different classes of traffic. 

Traffic class data stractures 154, 164 may share a common set of fields. This 
common set of fields may be configured to include: "Classlndex," which identifies the 
number assigned to the class; "ClassName," which identifies the name of the class; and 
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"Num_Transitions " which identifies the number of transitions each class is capable of 
executing. As indicated in FIG. IE, traffic class data structure 154 for TCP classification 
machine 152 includes Classlndex = "0," "1," and "2" and ClassName = "IQR " "Burst," 
and "Bulk" corresponding to the respective three classes of TCP traffic noted above and 
5 Num_Transitions ^ "2/' "1 " "1" corresponding to the different transitions possible in 
each of the respective classes (see also, FIG. ID). 

Similarly, traffic class data structure 164 for UDP classification machine 162 
includes Classlndex = "0," "1," and "2" and ClassName = "LRT," "HRT," and "NRT" 
corresponding to the respective three classes of UDP traffic noted above and 
10 Num_Transitions = "1 " "1," "1" corresponding to the different transitions possible in 
each of the respective classes (see also, FIG. ID). In addition, traffic class data structures 
154, 164 may also include a pointing mechanism, such as, "TransitionPtr" to point to 
transition data structures 156A, 156B, 166, corresponding to the different transitions 
possible for each class of traffic. 
15 Transition data structures 156 A, 156B, 166, may share a common set of fields. 

This common set of fields may be configured to include: "Transitionlndex," which 
identifies the transition executed by a particular class and "NextRulePtr," which identifies 
the rule associated with the transition executed by the class. If a particular class is capable 
of executing two transitions (e.g., Num_Transitions = 2), transition data structures 156A, 
20 156B, 166 may implement a pointing mechanism, such as, "NextTransitionPtr," to point to 
and facilitate the second transition if the conditions for the first transition were not met 
(i.e., no rule match). If there is are no subsequent transitions, NextTransitionPtr points to 
a NULL state. For example, as indicated in FIG. IE, the first of two transition 
possibilities of IQR class 126 (i.e., Classlndex - 0 and ClassName = "IQR"), is denoted as 
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Transitionlndex = 0. As illustrated in FIG. IC, this transition occurs if no TCP packets are 
received for 1 sec. (see, Rule Ri). If the conditions of the rule associated with 
NextRulePtr of Transitionlndex = 0 are not satisfied (i.e.. Rule Rj is not matched), 
NextTransitionPtr points to the next transition, Transitionlndex = 1, which occurs if at 
5 least 2 consecutive long packets are received (see, Rule R4). If Rule R4 is not matched, 
NextTransitionPtr points to the NULL state because no other transitions are supported. 

As noted above, "NextRulePtr'' identifies the rule precipitating the transition 
executed by the class. As indicated in FIG. IE, the rules are defined in rule data structures 
158A, 158B, 168A, 168B. Rule data structures 158A, 158B, 168A, 168B may share a 
10 common set of fields. This common set of fields may be configured to include: 
"MonitorTypelndex," which identifies the type of traffic monitor used by the rule; 
"RuleType," which identifies the comparison operators used by the rule; "RuleValue," 
which represents the value the rule compares to the values observed by the traffic monitor; 
"YesMatchClassIndex," which identifies the class to be designated based on a rule match; 
15 "NextRuleConnect,'' which indicates the logical operator used to chain to another rule 
before transitioning classes; and "NextRulePtr," which identifies the next rule to be 
examined before transitioning classes. 

By way of example, consider transition data structures 156A, 156B. As indicated 
in FIG. IE, transition data structure 156A stems fi^om IQR class 126 (i.e., Classlndex = 0), 
20 which is capable of two transitions (i.e., Num_Transitions = 2), due to comphance with 
Rules Ro or Ri (see, FIG. IC). Because the rules (and transitions) are executed 
sequentially, transition data structure 156 A first points to corresponding rule data structure 
158A, which represents Rule Ro. Rule data structure 158A provides that the rule employs 
a DIFI monitor (i.e., MonitorTypeLidex = 9), which observes the inter-arrival time 
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between a current packet and a previous packet. Rule data structure 158A further provides 
that the rule employs the comparison operator (i.e., RuleType) GREATER THAN, and the 
comparison value (i.e., RuleValue) 0, thereby indicating that the inter-arrival time 
observed by the DIFI monitor has to be greater than 1 predetermined time interval (e.g., 
5 i^sec, msec, sec, etc), in order for IQR class 126 to transition back to itself (i.e., 
YesMatchClassIndex = 0, see also, FIG. IC). 

If the rule manifested by rule data structure 158A is not matched by the observed 
traffic, transition data structure 156A then points, by virtue of NextTransitionPtr, to 
transition data structure 156B, which points to rule data structure 158B representing Rule 
10 Ri. Rule data structure 158B provides that the rule employs a CLP monitor (i.e., 
MonitorTypelndex = 0), which observes the number of consecutive LONG packets. Rule 
data structure 158A further provides that the rule employs the comparison operator (i.e., 
RuleType) GREATER THAN or EQUAL TO, and the comparison value (i.e., RuleValue) 
2, thereby indicating that the number observed by the CLP monitor has to be greater than 
15 or equal 2 packets in order to effect a transition to Burst class 128 (i.e., 
YesMatchClassIndex = 1, see also, FIG. IC). 

With respect to rule data structures 168A, 168B, FIG. IE also demonstrates the 
capabiUty of chaining of rules noted above. Transition data structure 166 stems from NRT 
class 140 (i.e., Classlndex = 2), which is capable of a single transition (i.e., 
20 Num^Transitions - 1), due to compliance with Rule R2 (see, FIG. ID). Transition data 
structure 156 A points to corresponding rule data structure 168 A, which represents Rule 
R2. Rule data structure 168A provides that the rule employs a PPS monitor (i.e., 
MonitorTypelndex = 5), which calculates the average packets-per-second. Rule data 
structure 168 A further provides that the rule employs the comparison operator (i.e.. 
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RuleType) GREATER THAN, and the comparison value (i.e., RuleValue) 25, thereby 
indicating that the number observed by the PPS monitor must be greater than 25 packets in 
order to effect a transition to LRT class 136 (i.e., YesMatchCIassIndex = 0, see also, FIG. 
ID), 

5 However, rule data structure 168 A also provides that there is an additional 

condition (or rule) that must be complied with before completely transitioning into LRT 
class 136. Specifically, rule data structure 168 A includes the string, NextRuleConnect =^ 
AND, indicating that that rules or conditions manifested by rule data structure 168A are to 
chained to a subsequent rule or condition indicated by NextRulePtr. NextRulePtr points to 

10 rule data structure 168B, which provides that the subsequent rule or condition employs a 
AVG_BW monitor (i.e., MonitorTypelndex 4), which determines the average 
bandwidth. Rule data structure 168B also provides that the rule employs the comparison 
operator (i.e., RuleType) GREATER THAN, and the comparison value (i.e., RuleValue) 
50, thereby indicating that the bandwidth observed by the AVG_BW monitor must be 

15 greater than 50 Kbps in order to completely match the transition rule and effect a transition 
to LRT class 136 (i.e., YesMatchClasshidex - 0, see also, FIG. ID). 

FIG. 2A is a functional block diagram depicting Layer-7 classification system 200, 
constructed and operative in accordance with another embodiment of the present 
invention. System 200 classifies network traffic based on Layer-7 classification schemes. 

20 As indicated in FIG. 2A, system 200 comprises flow manager mechanism 202, a packet 
classification rule engine 208, a configuration file 300, and rule set 210. As will be 
described below, rule set 210, as well as the actions taken by packet classification rule 
engine 208, may be defined, initialized, and reconfigured with respect to particular traffic 
flows in configuration file 300. 
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Much like the flow manager mechanism of system 100, flow manager mechanism 
202 is configured to receive the incoming data packets, identify and track the traffic flows 
associated with the received packets, as well as monitor the traffic flow statistics. Because 
Layer-7 classification schemes operate on packet payload information, only a few packets 
5 within a traffic flow need to be examined to correctly identify the class of traffic. As such, 
flow manager mechanism 202 may identify the traffic flows by examining a 
predetermined packet or packets per flow. Flow manager mechanism 202 may include a 
flow table mechanism 204, which captures the relevant packet information, provides a 
look-up mechanism to identify which traffic flow the receive packet belongs to, and 

10 updates the captured information accordingly. Such updates may include introducing new 
traffic flows, deleting stale traffic flows, or including pointers to different flows. 

FIG. 2B depicts a data structure 250 for Layer-7 packet classification rule engine 
208. Packet classification rule engine 208 is constructed as linked list of pattern match 
rules 210A-D and performs actions to classify the received packets into their proper class 

15 in response to the information provided by flow manager mechanism 202. As such, 
classification rule engine data structure 250 enables a user to specify a configurable 
number of classes, as well as transitions between those classes, based on a configurable set 
of rules and actions. 

Classification rule engine data structure 250 may be configured to accommodate 
20 any type of IP-based traffic and, as noted above, because Layer-7 classification schemes 
operate on packet payload information, only a few packets within a traffic flow need to be 
examined. Accordingly, as indicated in FIG. 2B, after a flow of packets are received by 
flow manager mechanism 202, classification rule engine 208 searches the set of rules 
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using a packet number as an index into the data structure. As such, the rules 
corresponding to a particular packet number are searched to determine a match. 

In the illustrated embodiment, packet numbers (e.g., #i, #j) within flow A are used 
as an index. Designating packet numbers #i, #j as an index may be based on the 
knowledge that, under Layer-7 schemes, packet numbers #i, #j provide an indication as to 
the type of traffic in flow A. Such knowledge may be garnered from empirical data, 
heuristics, vendor specifications, or industry knowledge. Classification rule engine 208 
then searches the set of rules 210A-D corresponding to packet numbers #i, #j to determme 
if there is a match between the information contained in the pointed-to packets and the rule 
values. 

As noted above, Layer-7 classification rule engine 208 is constructed as Unked list 
of pattern match rules 210A-D. Rules 210A-D are designed to perform comparisons 
between the flows configured or pre-specified value. Rules 210A-D may include event 
indicia, indicating the triggering of a rule, condition indicia, representing a conditional or 
comparison string, and action indicia, indicating the execution of an action based on the 
results of the comparison. Rules 210A-D may also employ comparison operators, such as, 
GREATER THAN, GREATER THAN OR EQUAL TO, EQUAL TO, LESS THAN OR 
EQUAL TO, and LESS THAN, for example, to effect the comparisons. Rules 210A-D 
may also employ logical operators, such as, AND, OR, NAND, NOR, etc. to chain various 
rules together. 

As such, classification rule engine data structure 250 may employ pattern match 
rules 210A-D having a common set of fields. This common set of fields may be 
configured to include: "Offset," which specifies the number of bytes from the beginning of 
the pointed-to packets where traffic type information is located; "NumCharacters," which 
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indicates the number of characters, beginning at the specified Offset, that are to be 
examined and compared for pattern matching; "CLASSPattem," which identifies the 
pattern used to match the information contained in the pointed-to packet with a particular 
class; and "AppType," which identifies the particular class associated with the pointed-to 
5 packet. 

Returning to FIG. 2B, with respect to packet #i, classification rule engine data 
structure 250 points to packet #i of flow A to seek traffic type information. Upon 
accessing packet #i, classification rule engine data structure 250 searches out all the 
relevant pattern matching rules for packet #i, which for this case are rules 210A-C. 
10 Classification rule engine data structure 250 then sequentially appUes the relevant 

pattern matching rules to determine a match. For example, classification rule engine data 
structure 250 applies rule 210A, which compares the x number of characters beginning at 
Offset a of packet #i with the pattern A. If the comparison with rule 21 OA does not 
consummate in a match, classification rule engine data structure 250 skips to rule 210C for 
15 subsequent comparisons. If any of the comparisons result in a match, classification rule 
engine data structure 250 designates the class of the traffic flow (e.g., AppType) based on 
the matched pattern (e.g., CLASSPattem). A flag (not shown) is then set in the Flow 
Table 204, indicating that the entire ti-affic flow (e.g., tiraffic flow A) is to be designated as 
ti-affic class AppType and fiiture packets belonging to the traffic flow will not be 
20 examined. If no comparisons result in a match, classification rule engine data structure 
250 maintains the traffic class the same and informs Flow Table 204 to continue 
examining the data structure in accordance with the next packet number that may have an 
indication as to the type of ti-affic in the flow. 
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Classification rule engine data structure 250 also provides for the chaining of rules 
to subsequent rules. The chaining of rules is contemplated because certain application 
identification may be based on heuristics, which may require pattern matching in two or 
more successive packets. When all the rules are traversed, there is only the pointed-to 
5 packet in hand. Thus, if a successful match causes the transition to a chained rule for a 
subsequent packet, classification rule engine data structure 250 stores a pointing 
mechanism to the chained rule in Flow Table 204, All subsequent packets for that 
particular flow will no longer index off the packet-number. Instead, when the packet with 
the number corresponding to the transitioned chain rule arrives, classification rule engine 

10 data structure 250 will compare the information contained in the packet to determine a 
match. If a match exists, classification rule engine data structure 250 will either proceed 
to the next rule (if it exists) or an application type is determined. If the match is not 
successful, application type and class designation remain unchanged. 

For example, in the case where there exists a match in rule 21 OA, as indicated in 

15 the illustrated embodiment (i.e., the x number of characters beginning at Offset a of packet 
#i contain pattern A), classification rule engine data structure 250 proceeds to rule 21 OB to 
determine if there is a subsequent match (i.e., do the y number of characters beginning at 
Offset b of packet #j contain pattern B). If there is a subsequent match, classification rule 
engine data structure 250 designates the traffic class as AppType = 1; otherwise, 

20 classification rule engine data structure 250 designates the traffic class as the default class. 

In this embodiment, all traffic flows are assumed to be assigned a default 
classification when they are initially received. This default application is based on the 
Layer-4 port numbers. As such, even if the Layer-7 Classification does not yield any 
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conclusive results, Layer-7 packet classification rule engine 208 falls back on the results 
of the Layer-4 port numbers to classify the traffic flows. 

FIG. 3 depicts a packet classification rule engine configuration file 300, 
constructed and operative in accordance with aspects of an embodiment of the present 
5 invention. Configuration file 300, provides an easily modifiable interface to the 
classification rule engine, which enables a user to develop a classification algorithm, 
translate that algorithm into the set of rules supported by the rule-engine and enter the 
rules in the form of a simple granmnar into a file. The classification rule-engine on power- 
up will execute the classification algorithms. A benefit of such a configuration file and 
10 classification rule-engine is that modifying and upgrading classification algorithms is a 
matter of simply making changes to a text file rather than providing hardware or software 
upgrades. 

As indicated in FIG. 3, configuration file 300 provides an example grammar 
through which the classification rule engine may be configured as part of a bandwidth 

15 management system. In illustrated embodiment, configuration file 300 specifies the 
network device physical ports that are enabled and the bandwidth associated with each 
port. There is also a policy setting that allows the user to select the classification result 
fi"om either a static layer-7 classifier or a dynamic classifier. Both types of classifiers run 
in parallel and their results are combined to obtain a final class. 

20 The user is also allowed to specify the number of distinct classes and their names. 

In addition the scheduler type is configurable along with the scheduler parameters such as 
queue weights etc. For the Layer-7 classifier, the classification engine uses a rule to 
identify an application and then maps that application to a particular class. Finally, the 
grammar contains rules for transitioning between classes for the dynamic classifier. 
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It will be apparent to one of ordinary skill in the art that the embodiments as 
described below may be implemented in many different embodiments of software, 
firmware, and hardware in the entities illustrated in the figures. The actual software code 
or specialized control hardware used to implement the present invention is not limiting of 

5 the present invention. Thus, the operation and behavior of the embodiments will be 
described without specific reference to the actual software code or specialized hardware 
components. The absence of such specific references is feasible because it is clearly 
understood that artisans of ordinary skill would be able to design software and control 
hardware to implement the embodiments of the present invention based on the description 

10 herein. 

Moreover, the processes associated with the presented embodiments may be stored 
in any storage device, such as, for example, non-volatile memory, an optical disk, 
magnetic tape, or magnetic disk. Furthermore, the processes may be progranmied when 
the system is manufactured or via a computer-readable medium at a later date. Such a 
15 medium may include any of the forms Usted above with respect to storage devices and 
may further include, for example, a carrier wave modulated, or otherwise manipulated, to 
convey instructions that can be read, demodulated/decoded and executed by the system. 

The foregoing description of the preferred embodiments is provided to enable any 
person skilled in the art to make or use the present invention. Various modifications to 
20 these embodiments are possible, and the generic principles presented herein may be 
applied to other embodiments as well. For example, the invention may be implemented in 
part or in whole as a hard-wired circuit, as a circuit configuration fabricated into an 
application-specific integrated circuit, or as a firmware program loaded into non-volatile 
storage or a software program loaded from or into a data storage medium as machine- 
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readable code, such code being instructions executable by an array of logic elements such 
as a microprocessor or other digital signal processing unit. 

As such, the present invention is not intended to be Umited to the embodiments 
shown above but rather is to be accorded the widest scope consistent with the principles 
5 and novel features disclosed in any fashion herein. 
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WHAT IS CLAIMED 



1 1 . A data flow classification system comprising: 

2 a data flow managing mechanism configured to identify, track, and manage 

3 said data flow; 

4 a rule set including a plurality of rules for comparing information contained 

5 in said data flow with pre-specified values; 

6 a configurable classification rule engine for classifying said data flow into 

7 one of a plurality of traffic classes based on results of said comparisons between said rules 

8 and said pre-specified values; 

9 a configuration file for configuring said classification rule engine and for 

10 specifying said pre-specified values and information regarding at least one of said data 

1 1 flow, said rule set, and said plurality of traffic classes, 

12 wherein said configuration file comprises a format that allows for the 

13 modification and reconfiguration of said classification rule engine, said data flow, said 

14 rule set, and said plurality of traffic classes. 

1 2. The system of Claim 1, wherein said data flow managing mechanism includes a 

2 flow table mechanism configured to perform at least one of capturing said information 

3 contained in said data flow, mapping a packet to a data flow, identifying said data flow 

4 based on said captured information, registering active data flows, and deleting inactive 

5 data flows. 

1 3. The system of Claim 2, wherein said plurality of rules comprise a data structure 

2 including, 



23 



Pillsburv Docket No.: 0270155 



NORTEL Ref.: 12470R0 



3 event indicia for indicating the invocation of one of said rules, 

4 condition indicia for representing a comparison or condition between said 

5 one of said rules and said pre-specified values, and 

6 action indicia for indicating the execution of an action based on results of 

7 said comparison, 

1 4. The system of Claim 3, wherein said action indicia includes information for at 

2 least one of designating said data flow as one of said traffic classes and chaining to 

3 another of said rules 

1 5. The system of Claim 4, wherein said classification engine classifies said data 

2 flow into one of said traffic classes in accordance with a dynamic classification scheme. 

1 6. The system of Claim 5, wherein said data flow managing mechanism identifies 

2 said data flow as a particular type of traffic. 

1 7. The system of Claim 6, fiirther comprising a traffic monitoring mechanism 

2 configured to monitor attributes of said data flow and to provide update information to 

3 said data flow managing mechanism. 

1 8. The system of Claim 7, wherein said traffic monitoring mechanism comprises a 

2 plurality of traffic monitors, each of said traffic monitors being capable of monitoring and 

3 measuring at least one predetermined attribute of said data flow. 

1 9. The system of Claim 8, wherein said traffic monitors comprise a data structure 

2 including, 

3 identifier indicia for identifying a type of traffic monitor, and 
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4 value indicia for indicating a value measured by said traffic monitor. 

1 10. The system of Claim 9, wherein classification engine comprises a data 

2 structure including, 

3 traffic type indicia indicating the traffic type of said data flow, 

4 traffic class indicia representing the different classes of traffic 

5 corresponding to the traffic type, 

6 transition indicia indicating transitions fi"om one of said traffic classes to 
^ 7 another of said traffic classes, and 

Q 8 rule indicia containing traffic monitor information, corresponding rule 

%i 9 information, said predefined values, and transition class information, 
€110 wherein said classification engine compares said traffic monitor 

f 11 information to said rule and said predefined values to classify said data flow into a traffic 

J' 12 class corresponding to said traffic type. 

1 11. The system of Claim 4, wherein said classification engine classifies said data 

2 flow into one of said traffic classes in accordance with a Layer-7 classification scheme. 

1 12. The system of Claim 11, wherein said classification engine selects a 

2 predetermined packet fi-om said data flow containing application information. 

1 13. The system of Claim 12, wherein said classification engine comprises a data 

2 structure including, 

3 information location indicia indicating the location where said application 

4 information is contained within said predetermined packet, 
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5 character indicia defining the number of characters within said location 

6 indicia to be compared, and 

7 pattern indicia representing a pattern corresponding to a particular traffic 

8 class. 

1 14. The system of Claim 13, wherein said classification engine compares 

2 said pattern indicia to said character indicia to classify said data flow into said traffic class. 

1 1 5. A method of classifying a data flow, comprising: 

2 identifjdng, tracking, and managing said data flow by a data flow managing 

3 mechanism; 

4 comparing information contained in said data flow with a plurality of rules 

5 containing pre-specified values, said plurality of rules included in a rule set; and 

6 classifying, by a configurable classification rule engine, said data flow into 

7 one of a plurality of traffic classes based on results of said comparisons between said rules 

8 and said pre-specified values; 

9 wherein said classification rule engine is configured by a configuration file, 

10 said configuration file specifying said pre-specified values and information regarding at 

1 1 least one of said data flow, said rule set, and said plurality of traffic classes, and 

12 wherein said configuration file comprises a format that allows for the 

13 modification and reconfiguration of said classification rule engine, said data flow, said 

14 rule set, and said plurality of traffic classes. 

1 16. The method of Claim 15, wherein said data flow managing mechanism 

2 includes a flow table mechanism configured to perform at least one of capturing said 

3 information contained in said data flow, mapping a packet to a data flow, identifjdng said 
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4 data flow based on said captured information, registering active data flows, and deleting 

5 inactive data flows. 

1 17. The method of Claim 16, wherein said pluraUty of rules comprise a data 

2 structure including, 

3 event indicia for indicating the invocation of one of said rules, 

4 condition indicia for representing a comparison or condition between said 

5 one of said rules and said pre-specified values, and 

6 action indicia for indicating the execution of an action based on results of 

7 said comparison. 

1 18. The method of Claim 17, wherein said action indicia includes information for 

2 at least one of designating said data flow as one of said traffic classes and chaining to 

3 another of said rules. 

1 19. The method of Claim 18, wherein said classification engine classifies said data 

2 flow into one of said traffic classes in accordance with a dynamic classification scheme. 

1 20. The method of Claim 19, wherein said data flow managing mechanism 

2 identifies said data flow as a particular type of traffic. 

1 21. The method of Claim 20, fiirther comprising a traffic monitoring mechanism 

2 configured to monitor attributes of said data flow and to provide update information to 

3 said data flow managing mechanism. 
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1 22. The method of Claim 21, wherein said traffic monitoring mechanism 

2 comprises a plurality of traffic monitors, each of said traffic monitors being capable of 

3 monitoring and measuring at least one predetermined attribute of said data flow. 

1 23. The method of Claim 22, wherein said traffic monitors comprise a data 

2 structure including, 

3 identifier indicia for identifying a type of traffic monitor, and 

4 value indicia for indicating a value measured by said traffic monitor. 

1 24. The method of Claim 23, wherein classification engine comprises a data 

2 structure including, 

3 traffic type indicia indicating the traffic type of said data flow, 

4 traffic class indicia representing the different classes of traffic 

5 corresponding to the traffic type, 

6 transition indicia indicating transitions fi*om one of said traffic classes to 

7 another of said traffic classes, and 

8 rule indicia containing traffic monitor information, corresponding rule 

9 information, said predefined values, and transition class information, 

10 wherein said classification engine compares said traffic monitor 

1 1 information to said rule and said predefined values to classify said data flow into a traffic 

12 class corresponding to said traffic type. 

1 25. The method of Claim 18, wherein said classification engine classifies said data 

2 flow into one of said traffic classes in accordance with a Layer-7 classification scheme. 
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1 26. The method of Claim 25, wherein said classification engine selects a 

2 predetermined packet from said data flow containing application information. 

1 27. The method of Claim 26, wherein said classification engine comprises a data 

2 structure including, 

3 information location indicia indicating the location where said application 

4 information is contained within said predetermined packet, 

5 character indicia defining the number of characters within said location 

6 indicia to be compared, and 

7 pattern indicia representing a pattern corresponding to a particular traffic 

8 class. 

1 28. The method of Claim 27, wherein said classification engine compares said 

2 pattem indicia to said character indicia to classify said data flow into said traffic class. 

1 29. A machine-readable medium encoded with a plurality of processor-executable 

2 instruction sequences for classifying a data flow, said instruction sequences comprising: 

3 identifying, tracking, and managing said data flow by a data flow managing 

4 mechanism; 

5 comparing information contained in said data flow with a plurality of rules 

6 containing pre-specified values, said plurality of rules included in a rule set; and 

7 classifying, by a configurable classification rule engine, said data flow into 

8 one of a plurality of traffic classes based on results of said comparisons between said rules 

9 and said pre-specified values; 
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10 wherein said classification rule engine is configured by a configuration file, 

1 1 said configuration file specifying said pre-specified values and information regarding at 

12 least one of said data flow, said rule set, and said plurality of traffic classes, and 

13 wherein said configuration file comprises a format that allows for the 

14 modification and reconfiguration of said classification rule engine, said data flow, said 

15 rule set, and said plurality of traffic classes. 

1 30. The machine-readable medium of Claim 29, wherein said data flow managing 

2 mechanism includes a flow table mechanism configured to perform at least one of 

3 capturing said information contained in said data flow, mapping a packet to a data flow, 

4 identifying said data flow based on said captured information, registering active data 

5 flows, and deleting inactive data flows. 

1 31. The machine-readable medium of Claim 30, wherein said plurality of rules 

2 comprise a data structure including, 

3 event indicia for indicating the invocation of one of said rules, 

4 condition indicia for representing a comparison or condition between said 

5 one of said rules and said pre-specified values, and 

6 action indicia for indicating the execution of an action based on results of 

7 said comparison. 

1 32. The machine-readable medium of Claim 31, wherein said action indicia 

2 includes information for at least one of designating said data flow as one of said traffic 

3 classes and chaining to another of said rules. 
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1 33. The machine-readable medium of Claim 32, wherein said classification engine 

2 classifies said data flow into one of said traffic classes in accordance with a dynamic 

3 classification scheme, 

1 34. The machine-readable medium of Claim 33, wherein said data flow managing 

2 mechanism identifies said data flow as a particular type of traffic. 

1 35. The machine-readable medium of Claim 34, further comprising a traffic 

2 monitoring mechanism configured to monitor attributes of said data flow and to provide 

3 update information to said data flow managing mechanism. 

1 36. The machine-readable medium of Claim 35, wherein said traffic monitoring 

2 mechanism comprises a plurality of traffic monitors, each of said traffic monitors being 

3 capable of monitoring and measuring at least one predetermined attribute of said data 

4 flow. 

1 37. The machine-readable medium of Claim 36, wherein said traffic monitors 

2 comprise a data structure including, 

3 identifier indicia for identifying a type of traffic monitor, and 

4 value indicia for indicating a value measured by said traffic monitor. 

1 38. The machine-readable medium of Claim 37, wherein classification engine 

2 comprises a data structure including, 

3 traffic type indicia indicating the traffic type of said data flow, 

4 traffic class indicia representing the different classes of traffic 

5 corresponding to the traffic type, 
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6 transition indicia indicating transitions from one of said traffic classes to 

7 another of said traffic classes, and 

8 rule indicia containing traffic monitor information, corresponding rule 

9 information, said predefined values, and transition class information, 

10 wherein said classification engine compares said traffic monitor 

1 1 information to said rule and said predefined values to classify said data flow into a traffic 

12 class corresponding to said traffic type. 

1 39. The machine-readable medium of Claim 32, wherein said classification engine 

2 classifies said data flow into one of said traffic classes in accordance with a Layer-7 

3 classification scheme. 

1 40. The machine-readable medium of Claim 39, wherein said classification engine 

2 selects a predetermined packet from said data flow containing application information. 

1 41. The machine-readable medium of Claim 40, wherein said classification engine 

2 comprises a data structure including, 

3 information location indicia indicating the location where said application 

4 information is contained within said predetermined packet, 

5 character indicia defining the number of characters within said location 

6 indicia to be compared, and 

7 pattern indicia representing a pattern corresponding to a particular traffic 

8 class. 
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1 42. The machine-readable medium of Claim 41 , wherein said classification engine 

2 compares said pattern indicia to said character indicia to classify said data flow into said 

3 traffic class. 
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CONFIGURABLE RULE-ENGINE FOR LAYER-7 
AND TRAFFIC CHARACTERISTIC-BASED CLASSIFICATION 

ABSTRACT OF THE DISCLOSURE 

5 

A system and method for data flow classification based on a configurable rule- 
engine, is presented herein. In accordance with an embodiment of the invention, the 
system includes a data flow managing mechanism configured to identify, track, and 
manage the data flows and a rule set, which includes a plurality of rules for comparing 

10 information contained within data flow with pre-specified values. The system also 
includes a configurable classification rule engine for classifying the data flows into one of 
a plurality of traffic classes based on results of the comparisons. The configurable 
classification rule engine is configured via a configuration file that specifies and allows for 
the modification and reconfiguration of the pre-specified values and information regarding 

1 5 the data flows, the rule set, and the traffic classes. 
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In The United States Patent and Trademark Office 



In re Patent Application of: 



Nabil SEDDIGH etal. 



: (Pillsbury Docket No. 0270 1 55) 



Application No.: (Unassigned) 



: Group: (Unasssigned) 



Filed: November 22, 2000 



Examiner: (Unassigned) 



Title: CONFIGURABLE RULE-ENGINE 
FOR LAYER-7 and TRAFFIC 
CHARACTERISTIC-BASED 
CLASSIFICATION 



November 22, 2000 



DRAWING CHANGE AUTHORIZATION REQUEST 



Hon. Commissioner of 
Patents and Trademarks 
Washington, D. C. 20231 

Sir: 

Authorization is requested to chagne Figs. 2A and 2B as indicated in red on the 
attached sheet. 



DSL:ERH/nnb 

1 100 New York Ave., N.W. 
Ninth Floor, East Tower 
Washington, D. C. 20005-3918 
Tel. (202) 861-3000 
Fax: (202)822-0944 



Respectfully submitted. 



PILLSBURY MADISON & SUTRO LLP 

iNTELLECTUAIyfROPERTY GROUP 




Reg. No. 28,872 
Phone: (202)861-3527 



30120026_I.DOC 
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IP CIP/PCT NATIONAL/PLANT DECLARATION AND POWER OF ATTORNEY FORM 

ORIGINAUSUBSTITUTE/SUPPLEMENT/iL FOR PATENT APPLICATION 

DECLARATIONS ' IN THE UNITED STATES PATENT AND TRADEMARK OFFICE 

As a below named inventor, I hereby declare that my residence, post office address and citizenship are as stated below next to my name, and I 
believe I am the original, first and sole inventor (if only one name is listed below) or an original, first and joint inventor (if plural names are listed 
below) of the subject matter which is claimed and for which a patent Is sought on the INVENTION ENTITLED CONFIGURA BLE RULE-ENGINE 
FOR LAYER-7 AND TRAFFIC CHARACTERISTIC-BASED CLASSIFICATION 

the specification of which (CHECK a pplicable BOXfEST) 
X A. 13 is attached hereto. 

BOX(ES) B. □ was fiied on . as U.S. Application No. / 

C.DwasfiledasPCT International Application No. PCI/ / on 

and (if applicable to U.S. or PCI application) was amended on 

I hereby state that I have reviewed and understand the contents of the above identified specification, including the claims, as amended by any amendment referred to 
above. I acknowledge the duty to disclose all information known to me to be material to patentability as defined in 37 C.F.R. 1 .56. Except as noted below, I hereby claim 
foreign priority benefits under 35 U.S.C. 1 19(a)-(d) or 365(b) of any foreign application(s) for patent or inventor's certificate, or 365(a) of any PCT International 
Application which designated at least one other country than the United States, listed below and have also identified below any foreign application for patent or inventor's 
certificate, or PCT International Application, filed by me or my assignee disclosing the subject matter claimed in this application and having a filing date (1) before that of 
the application on which priority is claimed, or (2) if no priority claimed, before the filing date of this application: 

PRIOR FOREIGN APPLICATION(S) Date first Laid- Date Patented 

Number Country Dav/MONTH/Year Filed open or Published or Granted Priority NOT Claimed 



If more prior foreign applications. X box at bottom and continue on attached page. 

Except as noted below, I hereby claim domestic priority benefit under 35 U.S.C. 1 1 9(e) or 120 and/or 365(c) of the Indicated United States applications listed below and 
PCT international applications listed above or below and, if this is a continuation-in-part (CIP ) application, insofar as the subject matter disclosed and claimed in this 
application is in addition to that disclosed in such prior applications, I acknowledge the duty to disclose all infonnriation known to me to be material to patentability as 
defined in 37 C.F.R. 1 .56 which became available between the filing date of each such prior application and the national or PCT international filing date of this 
_ application: 

1? PRI0R U.S. PROVISIONAL. NONPROVISIONAL AND/OR PCT APPLICATIONfSl Status Priority NOT Claimed 

^Application No, fseries code/serial no.) Dav/MONTH/Year Filed pending, ab andoned, patented 



fl ill hereby declare that all statements made herein of my own knowledge are taie and that all statements made on infomiation and belief are believed to be true; and 
^further that these statements were made with the knowledge that willful false statements and the like so made are punishable by fine or imprisonment, or both, under 
yjsection 1001 of Title 18 of the United States Code and that such willful false statements may jeopardize the validity of the application or any patent issued thereon. 

' ""'And I hereby appoint Pillsbury Madison & Sutro LLP, Intellectual Property Group, 1 100 New York Avenue, N.W., Ninth Floor, East Tower, Washington, D.C. 20005-3918, 
^ telephone number (202) 861-3000 (to whom all communications are to be directed), and the below-named persons (of the same address) individually and collectively my 
i„^attomeys to prosecute this application and to transact all business in the Patent and Trademaric Office connected therewith and with the resulting patent, and 1 hereby 
^"^authorize them to delete names/numbers below of persons no longer with their firni and to act and rely on instructions from and communicate directly with the 
M^person/assignee/attomey/finn/ organization who/which first sends/sent this case to them and by whom/which I hereby declare that I have consented after full disclosure 
:to be represented unless/until I instmct the above Firm and/or a below attorney in writing to the contrary. 



L?!PaulN.Kokulis 16773 

I y Raymond F, Lippitt 1 751 9 

rlG. Lloyd Knight 17698 

31 Kevin E. Joyce 20508 

^ George M. Sirilla 1 8221 

Donald J. Bird 25323 

Peter W. Gowdey 25872 

Dale S. Lazar 28872 



Paul E. White, Jr. 
Glenn J. Perry 
Kendrew H. Colton 
G. Paul Edgell 
Lynn E. Eccleston 
Timothy J. Klima 
David A. Jakopin 
Mark G. Paulson 



3201 1 Stephen C. Glazier 

28458 Ruth N. Morduch 

30368 Richard H. Zaitlen 

24238 Roger R. Wise 

35861 Jay M. Finkelstein 

34852 Michael R. Dzwonczyk 

32995 W. Patrick Bengtsson 

30793 Jack S. Barufka 



31361 
31044 
27248 
31204 
21082 
36787 
32456 
37087 



Adam R. Hess 
William P. Atkins 
Paul L. Sharer 



41835 
38821 
36004 



(1 ) INVENTOR'S SKaNATUHE: / 

1 Nabil ' 




Til 1 SEDDIGH 










^ ;4ffBP^i'hL ; . \iamitf Name 


Residence 1 North Gower, Ontario 


1 Canada 


1 Canada 










Post Office Address 


P. O. Box 421, North Gower, Ontario, Canada 


(include Zip Code) 


KOA2T0 


1 




(2) INVENTOR'S SIGNATURE: PvTs^vA^wA 




Date: /xfliv' 5 ^ U^TO 


1 Biswajit 




1 B. 1 NANDY 












Residence I Kanata, Ontario 




1 Canada 


j India 










Post Office Address 


42 Grengold Way, Kanata, Ontario, Canada 


(include Zip Code) 


K2T1E2 


1 





FOR ADDITIONAL INVENTORS, "X" box ^ and proceed on the attached page to list each additional inventor. 
□ See additional foreign priorities on attached page (incorporated herein by reference). 

Atty, Dkt. No. PM270155 (12470RO) 



{M#) 



PAT.11fiS/nO 



DECLARATION AND POWER OF ATTORNEY 

\ (continued) 

ADDiTJ QNAL4NVENT0RS : 




Date: AJ^ / . 



1 Don 


1 W. 1 BENNETT 














I Canada 


1 Canada 










719-1330 Richmond Road, Ottawa, Ontario. Canada 


(include Zip Code) 


K2B8J6 


1 




(4) INVENTOR'S SIGNATURE: 




/ 1_ Date: 


1 Yaiun 




1 ILIU 










Residence 1 Nepean. Ontario 




1 Canada 


1 Canada 






■ "|: . *slteff'<weihCbin&v -Cm 




Post Office Address 


108-47 Deerfield Drive, Nepean, Ontario, Canada 


(include Zip Code) 


K2G 3R7 


1 




(5) INVENTOR'S SIGNATURE: 




Date: 




1 Dabin 




1 1 WANG 






.#::.jM«rMiddi^ai.jr...-?i?*'-.,i#' . "P^ 


. -I;0^Fimi!v l^arri^ ''''' . fi2R% ' ' ' ' ^ 






1 Canada 


1 Canada 






;var '-lie • '■'"•Ms-iliteF^kH'c&r 




Post Office Address 


921-1339 Meadowlands Drive East, Nepean, Ontario, Canada 


(include Zip Code) 


K2E 7B4 






Qe) INVENTOR'S SIGNATURE: 




Date: 








F. ^ 1 CAO 




|1 1 Carl 












1 Canada 


1 Canada 










4 sPost Office Address 


36 Castleton Street, Nepean, Ontario, Canada 


pinclude Zip Code) 


K2C 5N1 


1 




111(7) INVENTOR'S SIGNATURE: 




Date: 




. 1 II 


















^ '^Post Office Address 




:! (include Zip Code) 




1 




n(8) INVENTOR'S SIGNATURE: 




Date: 




1 1 1 










Residence 1 
















Post Office Address 




(include Zip Code) 




1 




(9) INVENTOR'S SIGNATURE: 




Date: 




1 II 














1 












Post Office Address 




(include Zip Code) 


1 
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Rule 56(a) & (b) = 37 C.F.R. 1.56(a) & (b) 
PATENT AND TRADEMARK CASES - RULES OFiPRACTtCE 
DUTY OF DISCLOSURE 




(a) ...Each individual associated with the filing and prosecution of a patent application has a duty of candor and 
good faith in dealing with the [Patent and Trademark] Office, which includes a duty to disclose to the Office all 
information known to that individual to be material to patentability... (b) information is material to patentability 
when it is not cumulative and (1) It also establishes by itself, or in combination with other information, a prima 
facie case of unpatentability of a claim or (2) refutes, or is inconsistent with, a position the applicant takes in- (i) 
Opposing an argument of unpatentability relied on by the Office, or (ii) Asserting an argument of patentability 



§102. Conditions for patentability; novelty and loss of right to patent 

A person shall be entitled to a patent unless- 

(a) the invention was known or used by others in this country, or patented or described in a printed publication in this 
or a foreign country, before the invention thereof by the applicant for patent or 

(b) the invention was patented or described in a printed publication in this or a foreign country or in public use or on 
sale in this country, more than one year prior to the date of the application for patent in the United States, or 

(c) he has abandoned the invention, or 

(d) the invention was first patented or caused to be patented, or was the subject of an inventor's certificate, by the 
applicant or his legal representatives or assigns in a foreign country prior to the date of the application for patent 
in this country on an application for patent or inventor's certificate filed more than twelve months* before the filinq 
of the application in the United States, or 



ji^(e) the invention was described in a patent granted on an application for patent by another filed in the United States 

Si before the invention thereof by the applicant for patent, or on an international application by another who has 

H fulfilled the requirements of paragraphs (1), (2), and (4) of section 371(c) of this title before the invention thereof 

%j by the applicant for patent, or 

If^ he did not himself invent the subject matter sought to be patented, or 

'SPSS' 

;-(g) before the applicant's invention thereof the invention was made in this country by another who had not 
abandoned, suppressed, or concealed it. In determining priority of invention there shall be considered not only 

J 7 the respective dates of conception and reduction to practice of the invention, but also the reasonable diligence of 
one who was first to conceive and last to reduce to practice, from a time prior to conception by the other. 



^103- Condition for patentability; non-obvious subject matter 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth ii 
section 102 of this title, if the differences between the subject matter sought to be patented and the prio 



art are such that the subject matter as a whole would have been obvious at the time the invention was 
made to a person having ordinary skill in the art to which said subject matter pertains. Patentability shall 
not be negatived by the manner in which the invention was made 

bject matter developed by another person, which qualified as prior art only under subsection (f) or (g) of 
section 102 of this title, shall not preclude patentability under this section where the subject matter and the 
claimed invention were, at the time the invention was made, owned by the same person or subject to an 
obligation of assignment to the same person. 



PATENT LAWS 35 U.S.C. 



* Six months for Design Applications (35 U.S.C. 172). 



PAT-llfi'i/Dn 



